Chip and PIN is Broken!

Discussion in 'Computer Security' started by nemo_outis, Feb 12, 2010.

  1. nemo_outis

    nemo_outis Guest

    Chip used in new credit cards, etc. has been broken by Ross Anderson and
    his lads at Cambridge. Hell, I have one of these (my Visa card).

    Chip and PIN is Broken
    http://www.cl.cam.ac.uk/research/security/banking/nopin/oakland10chipbroken.pdf

    Incidentally, I'd still hate these type of credit cards even if the chip
    were invulnerable. The PIN now effectively takes the place of a signature.
    But digital signatures are a curse - they cause a gigantic shift from
    traditional written signatures.

    Under the law regarding written signatures as it has stood for centuries
    everywhere, it is the person *relying* on the signature who must validate
    it and who therefore takes the hit if it is a forgery, etc. With digital
    signatures (as the PIN effectively is) the burden shifts from the recipient
    to the *issuer* - an outrageous proposition, but one that banks, etc. love.

    Regards,

    PS It's now up to *me* to prove that some fraudulent use of my new chipped
    card is indeed fraudulent. But if the current crack had been done by, say,
    a Russian hacking group and not published by Cambridge, proving that fraud
    would be a burden totally beyond the capacity of any ordinary citizen to
    do.

    Moreover, the new digital signatures impose a "duty of care" that was never
    there with traditional written signatures. I must safeguard (in principle
    forever) my PIN, whereas with traditional signatures all I have to do is
    only sign something if I wish to (with no resultant ongoing duty regarding
    the signature thereafter).
     
    nemo_outis, Feb 12, 2010
    #1

  2. nemo_outis

    unruh Guest

    ["Followup-To:" header set to alt.computer.security.]
    On 2010-02-12, nemo_outis <> wrote:
    > Chip used in new credit cards, etc. has been broken by Ross Anderson and
    > his lads at Cambridge. Hell, I have one of these (my Visa card).
    >
    > Chip and PIN is Broken
    > http://www.cl.cam.ac.uk/research/security/banking/nopin/oakland10chipbroken.pdf
    >
    > Incidentally, I'd still hate these type of credit cards even if the chip
    > were invulnerable. The PIN now effectively takes the place of a signature.
    > But digital signatures are a curse - they cause a gigantic shift from
    > traditional written signatures.


    As the paper says, this is all an attempt by the banks to shuffle off
    responsibility for fraud by dumping the responsibility onto the
    customers. Instead of the merchant/bank having to verify signatures,
    they can simply verify a number (a pin) and can blame the customer if
    anything goes wrong.

    >
    > Under the law regarding written signatures as it has stood for centuries
    > everywhere, it is the person *relying* on the signature who must validate
    > it and who therefore takes the hit if it is a forgery, etc. With digital
    > signatures (as the PIN effectively is) the burden shifts from the recipient
    > to the *issuer* - an outrageous proposition, but one that banks, etc. love.
    >
    > Regards,
    >
    > PS It's now up to *me* to prove that some fraudulent use of my new chipped
    > card is indeed fraudulent. But if the current crack had been done by, say,
    > a Russian hacking group and not published by Cambridge, proving that fraud
    > would be a burden totally beyond the capacity of any ordinary citizen to
    > do.
    >
    > Moreover, the new digital signatures impose a "duty of care" that was never
    > there with traditional written signatures. I must safeguard (in principle
    > forever) my PIN, whereas with traditional signatures all I have to do is
    > only sign something if I wish to (with no resultant ongoing duty regarding
    > the signature thereafter).


    Agreed. They claim it makes the cards safer, but I think the primary
    thing it does is to offload responsibility.

    >
    >
    >
    >
     
    unruh, Feb 12, 2010
    #2

  3. nemo_outis

    Gerard Bok Guest

    On Fri, 12 Feb 2010 20:53:11 GMT, unruh
    <> wrote:

    >["Followup-To:" header set to alt.computer.security.]
    >On 2010-02-12, nemo_outis <> wrote:
    >> Chip used in new credit cards, etc. has been broken by Ross Anderson and
    >> his lads at Cambridge. Hell, I have one of these (my Visa card).


    >As the paper says, this is all an attempt by the banks to shuffle off
    >responsibility for fraud by dumping the responsibility onto the
    >customers. Instead of the merchant/bank having to verify signatures,
    >they can simply verify a number (a pin) and can blame the customer if
    >anything goes wrong.


    Your PIN is 4 decimal digits, isn't it ?
    So there are --worldwide-- no more than 9.999 different
    'signatures' around. Any guess as to with how many folks you
    share your 'personal electronic signature' ?

    --
    met vriendelijke groet,
    Gerard Bok
     
    Gerard Bok, Feb 12, 2010
    #3
  4. nemo_outis

    nemo_outis Guest

    (Gerard Bok) wrote in
    news::

    > On Fri, 12 Feb 2010 20:53:11 GMT, unruh
    > <> wrote:
    >
    >>["Followup-To:" header set to alt.computer.security.]
    >>On 2010-02-12, nemo_outis <> wrote:
    >>> Chip used in new credit cards, etc. has been broken by Ross Anderson
    >>> and his lads at Cambridge. Hell, I have one of these (my Visa
    >>> card).

    >
    >>As the paper says, this is all an attempt by the banks to shuffle off
    >>responsibility for fraud by dumping the responsibility onto the
    >>customers. Instead of the merchant/bank having to verify signatures,
    >>they can simply verify a number (a pin) and can blame the customer
    >>if anything goes wrong.

    >
    > Your PIN is 4 decimal digits, isn't it ?
    > So there are --worldwide-- no more than 9.999 different
    > 'signatures' around. Any guess as to with how many folks you
    > share your 'personal electronic signature' ?
    >


    It's not the 4-digit problem that bothers me so much. After all, the
    chance that a thief randomly entering a pin guess for a stolen card will
    get it right is very slim.

    No, the problem is the "moral hazard" regarding the banks (and related
    financial institutions) that profit so much from these cards. In the past
    the banks have fobbed off the risk onto the merchants; with this latest
    twist the banks have fobbed off the risks onto the consumer. But, either
    way, risks never "mature" for those who profit most - the banks. The banks
    always (cleverly but dishonestly) "displace" the risks. And, aside from the
    affront this is to natural justice, it causes a more practical problem: the
    banks have little incentive to really strengthen these systems and not do a
    slipshod job.

    Regards,
     
    nemo_outis, Feb 13, 2010
    #4
  5. nemo_outis

    Gerard Bok Guest

    On Sat, 13 Feb 2010 00:38:52 GMT, "nemo_outis" <>
    wrote:

    > (Gerard Bok) wrote in
    >news::
    >
    >> On Fri, 12 Feb 2010 20:53:11 GMT, unruh
    >> <> wrote:
    >>
    >>>["Followup-To:" header set to alt.computer.security.]
    >>>On 2010-02-12, nemo_outis <> wrote:
    >>>> Chip used in new credit cards, etc. has been broken by Ross Anderson
    >>>> and his lads at Cambridge. Hell, I have one of these (my Visa
    >>>> card).

    >>
    >>>As the paper says, this is all an attempt by the banks to shuffle off
    >>>responsibility for fraud by dumping the responsibility onto the
    >>>customers. Instead of the merchant/bank having to verify signatures,
    >>>they can simply verify a number (a pin) and can blame the customer
    >>>if anything goes wrong.

    >>
    >> Your PIN is 4 decimal digits, isn't it ?
    >> So there are --worldwide-- no more than 9.999 different
    >> 'signatures' around. Any guess as to with how many folks you
    >> share your 'personal electronic signature' ?
    >>

    >
    >It's not the 4-digit problem that bothers me so much. After all, the
    >chance that a thief randomly entering a pin guess for a stolen card will
    >get it right is very slim.


    Well, with 3 attempts it is 1 in 3.333. Far better than in most
    lotteries. (Do you know a system admin that allows passwords of
    less than 8 characters ? 10E14 or more guess rate :)

    >No, the problem is the "moral hazard" regarding the banks


    Vital characteristic of a signature is imho its uniqueness.
    There is nothing unique about 4 digits ;-)
    If it is not unique, don't call it signature as it in no way
    identifies someone.

    --
    met vriendelijke groet,
    Gerard Bok
     
    Gerard Bok, Feb 13, 2010
    #5
  6. nemo_outis

    Anonymous Guest

    > Chip used in new credit cards, etc. has been broken by Ross Anderson and
    > his lads at Cambridge. Hell, I have one of these (my Visa card).
    >
    > Chip and PIN is Broken
    > http://www.cl.cam.ac.uk/research/security/banking/nopin/oakland10chipbroken.pdf
    >
    > Incidentally, I'd still hate these type of credit cards even if the chip
    > were invulnerable. The PIN now effectively takes the place of a signature.
    > But digital signatures are a curse - they cause a gigantic shift from
    > traditional written signatures.
    >
    > Under the law regarding written signatures as it has stood for centuries
    > everywhere, it is the person *relying* on the signature who must validate
    > it and who therefore takes the hit if it is a forgery, etc. With digital
    > signatures (as the PIN effectively is) the burden shifts from the recipient
    > to the *issuer* - an outrageous proposition, but one that banks, etc. love.
    >
    > Regards,
    >
    > PS It's now up to *me* to prove that some fraudulent use of my new chipped
    > card is indeed fraudulent. But if the current crack had been done by, say,
    > a Russian hacking group and not published by Cambridge, proving that fraud
    > would be a burden totally beyond the capacity of any ordinary citizen to
    > do.
    >
    > Moreover, the new digital signatures impose a "duty of care" that was never
    > there with traditional written signatures. I must safeguard (in principle
    > forever) my PIN, whereas with traditional signatures all I have to do is
    > only sign something if I wish to (with no resultant ongoing duty regarding
    > the signature thereafter).


    These are very good points in my opinion. I hate promoting
    increasing of the multitude of laws we already have, but we probably
    need to lobby our representatives for legislation to protect us here.
     
    Anonymous, Feb 13, 2010
    #6
  7. (Gerard Bok) writes:
    > Vital characteristic of a signature is imho its uniqueness.
    > There is nothing unique about 4 digits ;-)
    > If it is not unique, don't call it signature as it in no way
    > identifies someone.


    human signature is used to imply intent, agrees, authorizes, approves.

    for pin-debit at check-out counters ... the PIN entry is part of
    two-factor authentication; the act of pressing the "yes" button (or
    touch screen field) is the part of the transaction that is taken as
    implying intent, agrees, authorizes, approves.

    an interface might have something like "please re-enter your pin if you
    agree" ... the act of PIN-entry is the part of demonstrating human
    intent (in response to the interface request).

    we had been brought in to help word-smith the cal. state electronic
    signature legislation ... one of the points that the lawyers made was
    that there had to be some sort of human interaction to demonstrate human
    intent.

    there was some issue with the things called "digital signatures"
    .... resulting in cognitive dissonance (possibly because "human
    signature" and "digital signature" both contained the word "signature")
    .... where lots of "digital signatures" were being performed w/o the
    necessary corresponding aspect that demonstrated human intent, agrees,
    authorizes, approves.

    old reference to "yes card" presentation at cartes2002 about trivial to
    clone card.
    http://web.archive.org/web/20030417...card.co.uk/resources/articles/cartes2002.html

    there were similar presentations at the ATM Integrity Task Force
    meetings.

    --
    42yrs virtualization experience (since Jan68), online at home since Mar1970
     
    Anne & Lynn Wheeler, Feb 13, 2010
    #7
  8. nemo_outis

    nemo_outis Guest

    (Gerard Bok) wrote in
    news::

    ....
    >>> Your PIN is 4 decimal digits, isn't it ?
    >>> So there are --worldwide-- no more than 9.999 different
    >>> 'signatures' around. Any guess as to with how many folks you
    >>> share your 'personal electronic signature' ?
    >>>

    >>
    >>It's not the 4-digit problem that bothers me so much. After all, the
    >>chance that a thief randomly entering a pin guess for a stolen card
    >>will get it right is very slim.

    >
    > Well, with 3 attempts it is 1 in 3.333. Far better than in most
    > lotteries. (Do you know a system admin that allows passwords of
    > less than 8 characters ? 10E14 or more guess rate :)
    >
    >>No, the problem is the "moral hazard" regarding the banks

    >
    > Vital characteristic of a signature is imho its uniqueness.
    > There is nothing unique about 4 digits ;-)
    > If it is not unique, don't call it signature as it in no way
    > identifies someone.
    >


    First of all the banks just call it a PIN, not a signature (they DON'T
    want to draw attention to the change!). Second, in this application the
    vital aspect of the PIN is not that it identifies someone but that it
    *authorizes* a transaction in the *name* of someone - which is precisely
    what a manuscript signature would do. In this context the PIN supplants
    the manuscript signature which would ordinarily have been required and
    is the *functional equivalent* of that manuscript signature - which is
    why it is appropriate to refer to the PIN analogically as a "signature".

    As for whether a 4-digit PIN is sufficient for ordinary commerce, it
    appears to be. One-shot guessing is not a practical strategy for card
    thieves, and certainly does not occur enough (if at all) to constitute a
    significant problem. And even 4 digits taxes the memory of a goodly
    proportion of the population, with resulting bank costs for resetting,
    etc.

    What supposedly *uniquely* identifies a person is possession of the card
    AND knowledge of the PIN. And, for that, 4 digits are more than
    sufficient. (Even, say, a 6-digit PIN might well not be unique among a
    large bank's set of cardholders - but, fortunately, uniqueness is an
    irrelevant property.)

    No, the incremental benefit of a 5, 6 or N-digit PIN would be minuscule.
    (And for the banks, not just minuscule, but actually zero or even
    negative if reset costs, etc. are considered!)

    But, as Anderson et al. and I point out, that is precisely the nature of
    the problem - the banks don't give a flying **** whether or not 4 digits
    are sufficient because they have displaced this risk (and many others)
    onto others and no longer bear it.

    Regards,

    PS The current PIN problem discussed in the paper arises, not because
    of the limited number of PIN digits, but because it is possible to
    thwart the overarching validation protocol. And that would be equally
    true for a 20-digit PIN!
     
    nemo_outis, Feb 13, 2010
    #8
  9. nemo_outis

    Jim Watt Guest

    On Sat, 13 Feb 2010 17:37:36 GMT, "nemo_outis" <> wrote:

    <snip>

    Although you are right that it shifts responsibility to the
    user rather than it being the job of the entity accepting the
    card to verify a signature, in practice the signature verification
    was often badly done as I found out using someone else's card
    by mistake one day and signing with a totally different sig
    nobody picked up on it.

    Now in the event it was fraudulent of course it's harder for the
    bank to claim it's the card owner's fault. However even if the
    bank pays the cost of fraud, that cost comes back to the cardholders
    by way of charges.

    I never understood why photoid on cards never took off. That
    provides another security feature.
    --
    Jim Watt
    http://www.gibnet.com
     
    Jim Watt, Feb 16, 2010
    #9
  10. nemo_outis

    unruh Guest

    On 2010-02-16, Jim Watt <_way> wrote:
    > On Sat, 13 Feb 2010 17:37:36 GMT, "nemo_outis" <> wrote:
    >
    ><snip>
    >
    > Although you are right that it shifts responsibility to the
    > user rather than it being the job of the entity accepting the
    > card to verify a signature, in practice the signature verification
    > was often badly done as I found out using someone else's card
    > by mistake one day and signing with a totally different sig
    > nobody picked up on it.


    If it was badly done, the persons who did it badly paid (the merchant or
    the bank). If chip and pin is badly done, the user pays. Since it is the
    merchant/bank that has the control, forcing the user to pay for their
    incompetence seems a bit rich, and puts the rewards in entirely the
    wrong place ( the bank gets rewarded for their own incompetence-- they
    collect the fees etc, even if they screwed up).

    >
    > Now in the event it was fraudulent of course it's harder for the
    > bank to claim it's the card owner's fault. However even if the
    > bank pays the cost of fraud, that cost comes back to the cardholders
    > by way of charges.


    Maybe, or maybe it comes out of the profits. If card company A has
    competition from B ( visa from mastercard, amex, diners,...) and if
    visa's costs are way out of line they cannot pass it on, or they lose
    all their customers. Now however, they screw up and they sue you.


    >
    > I never understood why photoid on cards never took off. That
    > provides another security feature.


    Sure, but it makes issuing and reissuing harder.

    > --
    > Jim Watt
    > http://www.gibnet.com
     
    unruh, Feb 17, 2010
    #10
  11. nemo_outis

    Jim Watt Guest

    On Wed, 17 Feb 2010 02:04:07 GMT, unruh
    <> wrote:

    >> I never understood why photoid on cards never took off. That
    >> provides another security feature.

    >
    >Sure, but it makes issuing and reissuing harder.


    Not in the age of digital cameras. Natwest allow
    you to put your photo on their credit cards if you
    like. I like.

    Spain, where ID cards are mandatory but not with the
    sophistication HMG wants, it's routine to ask for photo
    id when paying with a card.
    --
    Jim Watt
    http://www.gibnet.com
     
    Jim Watt, Feb 18, 2010
    #11
  12. On Thu, 18 Feb 2010 17:50:06 +0100, Jim Watt wrote:

    > On Wed, 17 Feb 2010 02:04:07 GMT, unruh
    > <> wrote:
    >
    >>> I never understood why photoid on cards never took off. That
    >>> provides another security feature.

    >>
    >>Sure, but it makes issuing and reissuing harder.

    >
    > Not in the age of digital cameras. Natwest allow
    > you to put your photo on their credit cards if you
    > like. I like.
    >
    > Spain, where ID cards are mandatory but not with the
    > sophistication HMG wants, it's routine to ask for photo
    > id when paying with a card.


    Apparently you don't understand American women :)

    One reason the photoid is falling behind the scenes is the upcoming Real
    ID Card which will be the de facto ID system in America.
    --
    A fireside chat not with Ari!
    http://tr.im/holj
    Motto: Live To Spooge It!
     
    ♥Ari ♥, Feb 20, 2010
    #12
